From owner-freebsd-questions@FreeBSD.ORG Tue Oct 29 19:58:03 2013
Date: Tue, 29 Oct 2013 12:57:57 -0700 (PDT)
From: Casey Scott
To: freebsd-questions@freebsd.org
Message-ID: <789665157.296.1383076677766.JavaMail.root@phantombsd.org>
In-Reply-To: <1799676610.295.1383076646507.JavaMail.root@phantombsd.org>
Subject: NAT/ipfw blocking internal traffic
List-Id: User questions

Hello,

My NAT and ipfw ruleset follows almost exactly what is given at
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

The problem I'm encountering is that a portion of my outbound internal
traffic is being blocked by ipfw. This is a fresh FreeBSD installation,
so I'm kind of at a loss since the config matches the handbook. Any
suggestions are appreciated.

uname -a
***********************************************
FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18 20:06:53 PDT 2013     root@hostname:/usr/src/sys/amd64/compile/hostname  amd64
***********************************************

/var/log/security:
***********************************************
Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
***********************************************

firewall script:
***********************************************
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=fxp0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443"

ipfw -q -f flush

$cmd 002 allow all from any to any via em0   # exclude LAN traffic
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 136 $skip udp from any to any 53 out via $pif $ks
$cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 151 $skip icmp from any to any out via $pif $ks
$cmd 152 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Authorized inbound packets
$cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
$cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
***********************************************

natd run options:
***********************************************
/sbin/natd -dynamic -m -n fxp0
***********************************************

-Casey
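The log excerpt above is short enough to read by eye, but on a busy gateway the useful question is where in the divert/NAT path each denied packet was when rule 450 fired. The following script is an added example and not part of Casey's message or of the FreeBSD handbook: it parses the kernel's ipfw log format ("ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>"), and classifies each deny on the external interface under the assumption that the ruleset has the handbook layout shown in the post, i.e. inbound packets are diverted to natd before check-state and outbound packets are diverted only after the stateful skipto rules. Under that layout an inbound packet on fxp0 whose destination is already an RFC 1918 address has been de-NATed by natd and then found no dynamic rule, while an outbound packet on fxp0 with an RFC 1918 source has not reached natd yet and matched neither check-state nor a setup rule. The sample input is the eight lines from the post plus two constructed lines (one ICMP, one inbound packet with a private source) to exercise the port-less form and the bogon rules; "fxp0" as the WAN interface and the RFC 1918 test are assumptions about this setup, not anything ipfw reports.

```python
"""Summarise ipfw 'Deny' lines from /var/log/security by position in the NAT path.

Added example, not code from the original post. Assumes the handbook-style
ruleset (divert in -> check-state -> stateful skipto -> deny log -> divert out)
and an IPv4-only gateway whose external interface is fxp0.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Kernel log line as produced by 'deny log' (syslog timestamp, host, then ipfw's own text).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# The same three networks the posted ruleset treats as LAN/bogon space (rules 300-302).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Denied:
    ts: str
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def _split_endpoint(ep: str):
    # TCP/UDP endpoints are logged as addr:port; ICMP logs the bare address.
    addr, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return addr, int(port)
    return ep, None


def parse_line(line: str) -> Optional[Denied]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    proto = m["proto"].split(":")[0].upper()   # 'ICMP:8.0' -> 'ICMP'
    return Denied(m["ts"], int(m["rule"]), m["action"], proto,
                  src, sport, dst, dport, m["dir"], m["iface"])


def classify(d: Denied, wan_iface: str) -> str:
    """Place a denied packet relative to the two natd divert rules (assumed layout)."""
    if d.iface != wan_iface:
        return "not-wan"
    if d.direction == "in" and is_rfc1918(d.src):
        return "bogon-source"        # private source arriving from outside (rules 300-302)
    if d.direction == "in" and is_rfc1918(d.dst):
        return "reply-no-state"      # already de-NATed by natd, no dynamic rule matched
    if d.direction == "out" and is_rfc1918(d.src):
        return "outbound-no-state"   # not yet NATed, matched neither check-state nor a setup rule
    return "other"


def summarise(lines: Iterable[str], wan_iface: str = "fxp0") -> dict:
    entries = [d for d in map(parse_line, lines) if d is not None]
    by_class = Counter(classify(d, wan_iface) for d in entries)
    by_rule = Counter(d.rule for d in entries)
    # (LAN host, proto, remote port) for every flow that lost its dynamic rule.
    lan_flows: Counter = Counter()
    for d in entries:
        c = classify(d, wan_iface)
        if c == "reply-no-state":
            lan_flows[(d.dst, d.proto, d.sport)] += 1
        elif c == "outbound-no-state":
            lan_flows[(d.src, d.proto, d.dport)] += 1
    return {"entries": entries, "by_class": by_class, "by_rule": by_rule, "lan_flows": lan_flows}


# Eight lines quoted in the post, plus two constructed lines (ICMP and an inbound bogon).
SAMPLE_LOG = """\
Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:19:02 hostname kernel: ipfw: 450 Deny ICMP:8.0 192.168.1.6 198.51.100.9 out via fxp0
Oct 29 10:20:11 hostname kernel: ipfw: 300 Deny TCP 10.1.2.3:4444 198.51.100.9:22 in via fxp0
""".splitlines()

if __name__ == "__main__":
    r = summarise(SAMPLE_LOG)
    for k, v in sorted(r["by_class"].items()):
        print(f"{k:18s} {v}")
    for (host, proto, port), n in r["lan_flows"].most_common():
        print(f"{host} {proto} -> remote port {port}: {n} denied")
```

Run against the posted lines, every deny at rule 450 is the same LAN host (192.168.1.6) talking to remote TCP port 80, split between de-NATed replies that check-state did not recognise and outbound packets that were not SYNs; that split is what distinguishes a state-table problem from a simple "port not in good_tcpo" case. Point it at /var/log/security with `summarise(open(path))` after adjusting `wan_iface` to your external interface.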